Office (OLE) malware analysis — malicious · 2b7d4d068bce584a

MALICIOUS

Office (OLE)

163.1 KB Created: 2006-01-25 08:30:00 Authoring application: Microsoft Office Word

MD5: 4fd2a673c9b0ca8cf705a27f0d29cca2 SHA-1: fedc6c78293f790a7bd92bbedd7b640b6413ac67 SHA-256: 2b7d4d068bce584a586c2ff1eef786f079ec138cb4e7b80fd048181fdb141a79

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1027 Obfuscated Files or Information

The OLE document exhibits a significant slack space anomaly, indicating potential obfuscation or embedded malicious content. Heuristic firings for VirtualAlloc, LoadLibrary, and GetProcAddress strongly suggest the file is designed to dynamically load and execute code. No document body or script content was available for further analysis, limiting the ability to identify specific delivery mechanisms or payloads.

Heuristics 4

Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 166,973 bytes but its declared streams total only 21,151 bytes — 145,822 bytes (87%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API

Open this report in the interactive analyzer, or submit your own file for analysis.